rxcomm / pyaxo

A python implementation of the Axolotl ratchet protocol.
GNU General Public License v3.0

Use of pbkdf2 #6

Closed schnef closed 9 years ago

schnef commented 9 years ago

Dear rxcomm,

Love your implementation of the Axolotl stuff, but was wondering on what information you based the derivation of the Rk, HKs etc. from the master key (lines 180+). The protocol v2 specification doesn't mention how these keys should be derived and the libaxolotl-java implementation doesn't use the header keys. There are more differences between your implementation and the TextSecure implementation. On what specs do you base your code?

TIA

LeMoi

rxcomm commented 9 years ago

The Axolotl spec says that a key definition function should be used to derive the initial key state from the master key. However, it does not specify what this KDF is. So any given implementation of the Axolotl protocol makes a choice of the KDF to use.

Similarly, the Axolotl spec only says that a symmetric encryption function should be used, and some kind of HMAC should be used, but does not specify which one.

pyaxo uses AES256 as the default encryption function, HMAC-SHA256 as the HMAC, and PBKDF2 as the KDF [salted differently to generate the Rk, HKs(r), NHKs(r), and CKs(r)].

Obviously to interoperate with TextSecure, pyaxo would need to use the same encryption function, HMAC, and KDF as TextSecure does. As you correctly point out, this is not the case and therefore an application based on pyaxo cannot interoperate with TextSecure. Different engineering choices were made for different applications.

HTH Dave
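As an added illustration of the reply above (not part of the thread and not pyaxo's own code): deriving the initial key state from one master key by running PBKDF2-HMAC-SHA256 once per key with a different salt, and what happens when the peer uses a different KDF. The salt labels, the iteration count, the function names and the contrasting HMAC-based KDF are all assumptions chosen for this sketch.

```python
import hashlib
import hmac

# One distinct salt per derived key. Labels and iteration count are assumptions
# made for this example, not values taken from pyaxo.
LABELS = ("RK", "HK_a2b", "HK_b2a", "NHK_a2b", "NHK_b2a", "CK_a2b", "CK_b2a")
ITERATIONS = 10_000


def kdf_pbkdf2(master_key: bytes, label: str) -> bytes:
    """PBKDF2-HMAC-SHA256 with the label as salt: one input, independent outputs."""
    return hashlib.pbkdf2_hmac("sha256", master_key, label.encode(), ITERATIONS, dklen=32)


def kdf_hmac(master_key: bytes, label: str) -> bytes:
    """A different KDF choice (single HMAC-SHA256 call), used only for contrast."""
    return hmac.new(master_key, label.encode(), hashlib.sha256).digest()


def initial_state(master_key: bytes, is_alice: bool, kdf=kdf_pbkdf2) -> dict:
    """Derive all seven keys, then map direction-named keys to send/receive slots."""
    raw = {label: kdf(master_key, label) for label in LABELS}
    send, recv = ("a2b", "b2a") if is_alice else ("b2a", "a2b")
    state = {"RK": raw["RK"]}
    for name in ("HK", "NHK", "CK"):
        state[name + "s"] = raw[f"{name}_{send}"]
        state[name + "r"] = raw[f"{name}_{recv}"]
    return state


if __name__ == "__main__":
    mk = bytes(range(32))  # constructed master key standing in for the handshake output
    alice = initial_state(mk, is_alice=True)
    bob = initial_state(mk, is_alice=False)
    # Same KDF on both sides: Alice's sending keys are Bob's receiving keys.
    print("HKs/HKr match:", hmac.compare_digest(alice["HKs"], bob["HKr"]))
    # A peer that picked another KDF ends up with an unrelated root key.
    other = initial_state(mk, is_alice=False, kdf=kdf_hmac)
    print("RK matches across KDFs:", hmac.compare_digest(alice["RK"], other["RK"]))
```

With the same master key, both parties agree on every key only when they also agree on the KDF and its salts, which is the interoperability point made in the reply.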

rxcomm commented 9 years ago

Let me know if you have further questions.

schnef commented 9 years ago

Dear Dave,

Your answer was perfectly clear. No further questions.

LeMoi